- Issued:
- 2007-11-15
- Updated:
- 2007-11-15
RHBA-2007:0792 - Bug Fix Advisory
Synopsis
nss_ldap bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
Updated nss_ldap packages which address several bugs and add enhancements
are now available.
Description
The nss_ldap module is an extension for the C library which allows
directory servers to be used as the source of information about users,
groups, and assorted other items.
These updated packages fix the following bugs:
- in certain circumstances nss_ldap failed to increase the size of the
buffer it filled with groups. If a user was a member of a large number of
groups (greater than 64 in reported cases), when said group was enumerated
using the "nscd -d" command a segmentation fault occurred. The segmentation
fault is caused by nss_ldap and occurs in glibc. However, the segmentation
fault shows up in any program that uses nss_ldap ie nscd, sshd, su, login
etc. In this situation nss_ldap could corrupt the glibc heap, and the
following errors occurred:
- ** glibc detected *** malloc(): memory corruption: 'hexadecimal address'
- **
- ** glibc detected *** malloc(): memory corruption (fast):
'hexadecimal address' ***
(The value of 'hexadecimal address' will be different in each error).
This issue could also cause httpd to crash when pulling data from a
Lightweight Directory Access Protocol (LDAP) server.
- nss_ldap could cause a corrupt heap if it was provided with an
initially-empty list of groups by libc.
- if do_bind() failed or the descriptor owner changed, LDAP connections
leaked. This consumed a large number of sockets during failover.
- nss_ldap would continue trying to connect to a directory server even when
Name Service Switch (NSS) reported the server as unavailable (ie returned
NSS_UNAVAIL). This updated version only attempts a server re-connect when
it is asked to do so (ie receives an NSS_TRYAGAIN message).
This update also adds the following enhancements:
- backported "nss_initgroups backlink" functionality, which is configured
in ldap.conf. This allows you to query for the "memberOf" attribute rather
than "uniqueMember", which could lead to performance increases on certain
directory servers.
- backported "nss_initgroups_ignoreusers" functionality, which is
configured in ldap.conf. This allows the nss_ldap implementation of
initgroups to return "NSS_STATUS_NOTFOUND" for the usernames specified,
which could be used to prevent queries to LDAP servers for local users if
said server was unavailable.
All nss_ldap users should upgrade to these updated packages, which resolve
these issues and add these enhancements.
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
Affected Products
- Red Hat Enterprise Linux Server 4 x86_64
- Red Hat Enterprise Linux Server 4 ia64
- Red Hat Enterprise Linux Server 4 i386
- Red Hat Enterprise Linux Workstation 4 x86_64
- Red Hat Enterprise Linux Workstation 4 ia64
- Red Hat Enterprise Linux Workstation 4 i386
- Red Hat Enterprise Linux Desktop 4 x86_64
- Red Hat Enterprise Linux Desktop 4 i386
- Red Hat Enterprise Linux for IBM z Systems 4 s390x
- Red Hat Enterprise Linux for IBM z Systems 4 s390
- Red Hat Enterprise Linux for Power, big endian 4 ppc
Fixes
(none)CVEs
(none)
References
(none)
Red Hat Enterprise Linux Server 4
SRPM | |
---|---|
nss_ldap-226-20.src.rpm | SHA-256: 72bf4f003c44dbfd5019ef6386e71b37c1d244731ade05dc05a2fe8019d0f0ec |
x86_64 | |
nss_ldap-226-20.i386.rpm | SHA-256: ffa20c79d88f5b4860aa22bf0f776df5722c5cebe4256f9a29760b8286fc0fc0 |
nss_ldap-226-20.i386.rpm | SHA-256: ffa20c79d88f5b4860aa22bf0f776df5722c5cebe4256f9a29760b8286fc0fc0 |
nss_ldap-226-20.x86_64.rpm | SHA-256: 8a90fba4b3450edd66f3ac93bd159e18fa85dbec48d023e6ae9145db0a0f59c4 |
nss_ldap-226-20.x86_64.rpm | SHA-256: 8a90fba4b3450edd66f3ac93bd159e18fa85dbec48d023e6ae9145db0a0f59c4 |
ia64 | |
nss_ldap-226-20.i386.rpm | SHA-256: ffa20c79d88f5b4860aa22bf0f776df5722c5cebe4256f9a29760b8286fc0fc0 |
nss_ldap-226-20.i386.rpm | SHA-256: ffa20c79d88f5b4860aa22bf0f776df5722c5cebe4256f9a29760b8286fc0fc0 |
nss_ldap-226-20.ia64.rpm | SHA-256: b56e43d8cbf53c8aa3db52ada1d9e45c070610a042feb4a39e6efbb89211e6eb |
nss_ldap-226-20.ia64.rpm | SHA-256: b56e43d8cbf53c8aa3db52ada1d9e45c070610a042feb4a39e6efbb89211e6eb |
i386 | |
nss_ldap-226-20.i386.rpm | SHA-256: ffa20c79d88f5b4860aa22bf0f776df5722c5cebe4256f9a29760b8286fc0fc0 |
nss_ldap-226-20.i386.rpm | SHA-256: ffa20c79d88f5b4860aa22bf0f776df5722c5cebe4256f9a29760b8286fc0fc0 |
Red Hat Enterprise Linux Workstation 4
SRPM | |
---|---|
nss_ldap-226-20.src.rpm | SHA-256: 72bf4f003c44dbfd5019ef6386e71b37c1d244731ade05dc05a2fe8019d0f0ec |
x86_64 | |
nss_ldap-226-20.i386.rpm | SHA-256: ffa20c79d88f5b4860aa22bf0f776df5722c5cebe4256f9a29760b8286fc0fc0 |
nss_ldap-226-20.x86_64.rpm | SHA-256: 8a90fba4b3450edd66f3ac93bd159e18fa85dbec48d023e6ae9145db0a0f59c4 |
ia64 | |
nss_ldap-226-20.i386.rpm | SHA-256: ffa20c79d88f5b4860aa22bf0f776df5722c5cebe4256f9a29760b8286fc0fc0 |
nss_ldap-226-20.ia64.rpm | SHA-256: b56e43d8cbf53c8aa3db52ada1d9e45c070610a042feb4a39e6efbb89211e6eb |
i386 | |
nss_ldap-226-20.i386.rpm | SHA-256: ffa20c79d88f5b4860aa22bf0f776df5722c5cebe4256f9a29760b8286fc0fc0 |
Red Hat Enterprise Linux Desktop 4
SRPM | |
---|---|
nss_ldap-226-20.src.rpm | SHA-256: 72bf4f003c44dbfd5019ef6386e71b37c1d244731ade05dc05a2fe8019d0f0ec |
x86_64 | |
nss_ldap-226-20.i386.rpm | SHA-256: ffa20c79d88f5b4860aa22bf0f776df5722c5cebe4256f9a29760b8286fc0fc0 |
nss_ldap-226-20.x86_64.rpm | SHA-256: 8a90fba4b3450edd66f3ac93bd159e18fa85dbec48d023e6ae9145db0a0f59c4 |
i386 | |
nss_ldap-226-20.i386.rpm | SHA-256: ffa20c79d88f5b4860aa22bf0f776df5722c5cebe4256f9a29760b8286fc0fc0 |
Red Hat Enterprise Linux for IBM z Systems 4
SRPM | |
---|---|
nss_ldap-226-20.src.rpm | SHA-256: 72bf4f003c44dbfd5019ef6386e71b37c1d244731ade05dc05a2fe8019d0f0ec |
s390x | |
nss_ldap-226-20.s390.rpm | SHA-256: 4f3072b3362e039e7b7205574e459f931bba2be5c6957305bd33bda238cafde0 |
nss_ldap-226-20.s390x.rpm | SHA-256: 4cebdec04c1dc735798c9a0ed773142744fa320a4ed9e8f128d4d25bb4d783df |
s390 | |
nss_ldap-226-20.s390.rpm | SHA-256: 4f3072b3362e039e7b7205574e459f931bba2be5c6957305bd33bda238cafde0 |
Red Hat Enterprise Linux for Power, big endian 4
SRPM | |
---|---|
nss_ldap-226-20.src.rpm | SHA-256: 72bf4f003c44dbfd5019ef6386e71b37c1d244731ade05dc05a2fe8019d0f0ec |
ppc | |
nss_ldap-226-20.ppc.rpm | SHA-256: c8288b195690b7a54ed8a2f8b183db40bcc10b6ad15a7aee28a6739aad365f95 |
nss_ldap-226-20.ppc64.rpm | SHA-256: 4d953c27e63d8910e3deb6b2e6e0edd16beba41596a70eec30c2c422f0850667 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.